Incident Response: Having a Plan in Place For Your Business

Article by • August 17, 2022


A cyber attack can happen to businesses of any size or structure. In order to protect your data and your systems, it is important to have a plan in place. This means having protocols for dealing with a cyber threat, and making sure all of your employees are aware of the plan and know what to do if an attack occurs. In this blog post, we will discuss the importance of incident response planning and how you can put in place a structure that is right for your business.

What is an Incident Response Plan?

An incident response plan is a procedure, or set of procedures, put in place to best prepare a business to tackle a successful cyber attack. This is usually a full plan covering crucial steps, including identification of the cyber attack itself and implementation of future steps to prevent a recurring attack. The plan is designed to detect, respond to, and limit the consequences of malicious cyber attacks against an organisation’s information systems.

What Does an Incident Response Plan Achieve?

First, it helps to ensure that everyone knows what to do in the event of a cyber attack, because the plan and procedures have been set out in advance. This can help minimise the damage caused by an attack, as well as help you recover more quickly. Additionally, having a plan in place shows clients and suppliers that you take security seriously and are prepared to deal with any cyber attacks that may pose a threat. This can also help to deter attackers, as they are more likely to target businesses that do not have strong security measures in place.

Investing in an Incident Response Plan

When you invest in an incident response plan, you are well covered in the event of an attack. A plan set in place will not only create a structure for your employees but show your clients and suppliers that you value security in your business, putting their minds at ease in the event of a cyber attack. An incident response plan includes: identification of the cyber attack, clarification of any malicious activity, implementation of controls to prevent any recurrence of the attack, and regular penetration tests or vulnerability scanning to provide an ongoing understanding of your threat landscape.

Benefits of an Incident Response Plan

There are many benefits, including:

  • Reducing the risks of a successful attack.
  • Quickly identifying and responding to an attack.
  • Minimising the damage caused by an attack.
  • Showing that you take security seriously within your organisation.
  • Deterring attackers from targeting your business.

All these benefits massively reduce the aftermath of a cyber attack and help your business stay on track and return to business as soon as possible. Without an incident response plan, the risk of your business being irreversibly damaged is high, so investing is a no brainer.

What’s Included in our Plan?

Our Incident Response Plan here at Pentest People includes:

  • Confirmation of attack.
  • Identification of the systems affected.
  • Identification of malicious activity.
  • IOC gathering – determining the cause of the attack.
  • Regular vulnerability scans.
  • Daily dark web scans.
  • Regular penetration tests.

To ensure your business safety, enquire today about our Incident Response Service.

Our Incident Response team shared their frontline experiences with IR and the importance of having an Incident Response plan in place.

Transcript

Today, we are here with our incident response team, Ian and Liam, who are going to talk you through their frontline stories about incident response and their individual experiences. So firstly, what is incident response?


Well, thanks for the introduction. I think, generally speaking, incident response would be any time there’s been a serious outage of IT, which may be because of malicious actions, or any kind of accident in the workplace, that requires a team of experts to come in and help to resolve the issue, be that helping to contain or quarantine malicious files, or helping to get services back online and returning to business as usual. You have a little bit more experience in the field, so is that how you would describe it?


Yeah, pretty much. You’re right, Liam. I would say it’s pretty much process based, and it follows the seven steps recommended by NIST. So we’d look at the preparation, containment and eradication of the incidents. Also, there’s the digital forensics side, which is slightly off incident response, but is certainly part of the package, and that goes into the more technical side, looking into malware and various things like that. The importance within incident response, yes, preparation. So preparation is key. If you can get your preparation nailed down with regards to logging and collecting all the evidence, the rest of the steps should fall into place quite easily. Then incident management takes quite a big role in incident response, so it’s about getting those key contacts down. So if and when the worst happens, and I say when, because it is when; we’ll all get hit eventually, at some point. So when the worst happens, as long as your incident response plan is kept up to date and is tested regularly, a response should be relatively easy. Unfortunately, due to cost across the board, small businesses tend to get left behind, and this is where we can step in and provide that level of guidance that perhaps they’ve missed out on.


So it is really crucial for businesses to have an incident response plan in place?


It is crucial, as it is the most important step of incident response. By far, that preparation, that incident response plan, will tell people exactly what to do should an incident occur. Playbooks also come into play. So we have playbooks which would guide us through an incident. For instance, if you were the victim of a ransomware attack, a ransomware playbook would guide you through the steps to eradicate, contain and mitigate the ransomware. So the preparation side, the incident response plan and the playbooks all come together as the initial step, so yeah, by far the most important factor is to have an up to date incident response plan.


And also, just to add to that, make sure you test it regularly as well, so that the first time you have an incident isn’t the first time people are reading this incident response plan and running around. You can see, quite commonly, especially when it is the first time these things have happened, that people haven’t been drilling their incident response plan. They haven’t practised it properly. The end result is so many headless chickens running around, and that actually just confuses the issue as well; that’s almost more dangerous than not having one. You end up in this kind of blind panic, where nobody really knows what they’re doing, and that can be incredibly detrimental, especially when you’re trying to return to business as usual.


Yeah, that’s a really good point, and we’ve started to put together some tests that we can use to test incident response plans. We’ve got the ransomware tabletop exercises, we’ve got supply chain tabletop exercises. And as I’ve just said, it is crucially important to test them. You can have it in place and leave it for two years, but people move within the business, people leave businesses, and perhaps the contacts that you have on your incident response plan are not valid anymore. And if that’s the case, the incident response plan falls down, and yeah, chaos ensues. So you’ve got to make sure it’s updated.


Absolutely. I mean, that should be part of your starters, leavers and changes process, making sure that that doesn’t impact your business continuity or incident response plan. So it’s a vital part of change control, really. And, yeah, again, we’d always recommend that you do pen testing every year, and having those tabletop exercises as part of that security testing plan is quite vital. You know, you don’t know the holes in something until somebody comes in and shows them to you; it’s incredibly difficult to mark your own homework, and that’s why we would always recommend including that kind of testing in the wider security testing programme that most businesses will already be engaging in.


You made a really good point there as well, actually: business continuity plans, disaster recovery plans and incident response plans all play into the same thing. They should all be developed together, side by side, and inform each other. So yeah, that’s a really good point you’ve made there, and it’s important to make sure that they reflect each other within the documentation. So the disaster recovery plan should be referenced in your incident response plan, as should your business continuity plan, because even if it isn’t necessarily a security incident or a ransomware attack, you could still come to the same problems if there was a flood or a natural disaster and you lose your IT that way. Your incident response plan is what’s going to get you back up and running.


Have you both got any stories to tell?


Just one or two. Well, without naming names, of course, there have been a couple of incidents that I’ve been involved with, both on the responder side of things and also the victim side of things. And the big thing that is true throughout all of them is panic. People just start to panic. It’s understandable. You’ve spent 5 to 10 years building a business, it’s doing well, you know, you’re providing for your family, and suddenly the reality of that is called into question: are you able to keep doing this? Are you able to keep going? It’s natural that people are going to be quite nervous. You’ve got to force yourself to try and be as calm as you can. Right, how are we going to deal with this? Let’s approach the problem logically. I come from a pen testing background myself, and that kind of panic is something we rely on when we’re doing Red Team engagements. We will purposely try to cause people to not know what they’re doing, cause chaos, injecting noise into communication streams to prevent people from accurately responding to problems. If you’ve got all this noise, all this chaos going on, nobody knows what’s going on. You can’t get ahead of a problem. Pentesters and red teamers rely on that, and so will assailants, be that APTs or, if you just so happen to be unlucky enough, one of the ransomware groups that has managed to get into your network. The number one killer for those businesses, when they’re part of that responding or they’ve discovered an incident and they’re starting to respond to it, the number one killer of those is panic. And it’s understandable why people do panic. But you’ve just got to train yourself to make sure that, number one, the first thing you do when you hear ransomware is go and start an incident response plan, go into that business continuity plan, and don’t lose your head.


It’s interesting, my thoughts as well around incident response. What you’ve just mentioned now is exactly true. It is important to step back from the incident and just take a minute, take it all in and see what’s happening. Keep calm, and then address it from that point. Running around, shouting and screaming doesn’t help. But unfortunately, that tends to be the norm, and the reason that is the norm is exactly as you’ve just mentioned: no incident response plan at all. So panic isn’t good. Panic isn’t good. And as we’ve just said, get back to that incident response plan.


Well, thank you both for highlighting the importance of having an incident response plan and why it is so crucial for businesses to invest in an incident response plan. Thank you to the IR team for sharing their experiences. Stay tuned for next week.

Liam is one of the senior consultants at Pentest People. With a wide range of skills and experience, from web applications to social engineering, he's able to give great comments and opinions on cybersecurity matters.